-rw-r--r--  docs/sections/services/ves-http/index.rst              |   1
-rw-r--r--  docs/sections/services/ves-http/installation-helm.rst  | 132
-rw-r--r--  docs/sections/tls_enablement.rst                       |  72
3 files changed, 203 insertions, 2 deletions
diff --git a/docs/sections/services/ves-http/index.rst b/docs/sections/services/ves-http/index.rst index 5b56d44f..7f444247 100644 --- a/docs/sections/services/ves-http/index.rst +++ b/docs/sections/services/ves-http/index.rst @@ -23,6 +23,7 @@ VES Collector (HTTP) overview and functions ./configuration.rst ./delivery.rst ./installation.rst + ./installation-helm.rst ./tls-authentication.rst ./stnd-defined-validation.rst diff --git a/docs/sections/services/ves-http/installation-helm.rst b/docs/sections/services/ves-http/installation-helm.rst new file mode 100644 index 00000000..9728e64b --- /dev/null +++ b/docs/sections/services/ves-http/installation-helm.rst @@ -0,0 +1,132 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. _ves-installation-helm:
+
+VES Collector Helm Installation
+===============================
+
+Authentication Support - Helm based deployment
+----------------------------------------------
+
+VES Collector support following authentication types
+
+ * *auth.method=noAuth* - no security (http)
+ * *auth.method=certBasicAuth* - is used to enable mutual TLS authentication or/and basic HTTPs authentication
+
+Default ONAP deployed VESCollector is configured for "certBasicAuth".
+
+The default behavior can be changed by upgrading dcaegen2-services deployment with custom values:
+ .. code-block:: bash
+
+ helm -n <namespace> upgrade <DEPLOYMENT_PREFIX>-dcaegen2-services --reuse-values --values <path to values> <path to dcaegen2-services helm charts>
+
+For example:
+ .. code-block:: bash
+
+ helm -n onap upgrade dev-dcaegen2-services --reuse-values --values new-config.yaml oom/kubernetes/dcaegen2-services
+
+Where the contents of ``new-config.yaml`` file is:
+ .. code-block:: bash
+
+ dcae-ves-collector:
+ applicationConfig:
+ auth.method: "noAuth"
+
+For small changes like this, it is also possible to inline the new value:
+ .. code-block:: bash
+
+ helm -n onap upgrade dev-dcaegen2-services --reuse-values --set dcae-ves-collector.applicationConfig.auth.method="noAuth" oom/kubernetes/dcaegen2-services
+
+After the upgrade, the new auth method value should be visible inside dev-dcae-ves-collector-application-config-configmap Config-Map.
+It can be verified by running:
+ .. code-block:: bash
+
+ kubectl -n onap get cm <config map name> -o yaml
+
+For VES Collector:
+ .. code-block:: bash
+
+ kubectl -n onap get cm dev-dcae-ves-collector-application-config-configmap -o yaml
+
+
+.. _external-repo-schema-via-helm:
+
+External repository schema files integration with VES Collector
+-------------------------------------------------------------------
+In order to utilize the externalRepo openAPI schema files defined in `OOM <https://gerrit.onap.org/r/gitweb?p=oom.git;a=tree;f=kubernetes/dcaegen2-services/resources/external>`_ repository and installed with dcaegen2 module, follow below steps.
+
+1. Go to directory with dcaegen2-services helm charts (oom/kubernetes/dcaegen2-services). These charts should be located on RKE deployer node or server which is used to deploy and manage ONAP installation by Helm charts.
+2. Create file with specific VES values-overrides:
+
+.. code-block:: yaml
+
+ dcae-ves-collector:
+ externalVolumes:
+ - name: '<config map name with schema mapping file>'
+ type: configmap
+ mountPath: <path on VES collector container where externalRepo schema-map is expected>
+ optional: true
+ - name: '<config map name contains schemas>'
+ type: configmap
+ mountPath: <path on VES collector container where externalRepo openAPI files are stored>
+ optional: true
+
+E.g:
+
+.. code-block:: yaml
+
+ dcae-ves-collector:
+ externalVolumes:
+ - name: 'dev-dcae-external-repo-configmap-schema-map'
+ type: configmap
+ mountPath: /opt/app/VESCollector/etc/externalRepo
+ optional: true
+ - name: 'dev-dcae-external-repo-configmap-sa91-rel16'
+ type: configmap
+ mountPath: /opt/app/VESCollector/etc/externalRepo/3gpp/rep/sa5/MnS/blob/Rel-16-SA-91/OpenAPI
+ optional: true
+
+If more than a single external schema is required add new config map to object 'externalVolumes' like in above example. Make sure that all external schemas (all openAPI files) are reflected in the schema-map file.
+
+3. Upgrade release using following command:
+
+.. code-block:: bash
+
+ helm -n <namespace> upgrade <dcaegen2-services release name> --reuse-values -f <path to values.yaml file created in previous step> <path to dcaegen2-services helm chart>
+
+E.g:
+
+.. code-block:: bash
+
+ helm -n onap upgrade dev-dcaegen2-services --reuse-values -f values.yaml .
+
+
+Using external TLS certificates obtained using CMP v2 protocol
+--------------------------------------------------------------
+
+In order to use the X.509 certificates obtained from the CMP v2 server (so called "operator`s certificates"), refer to the following description:
+
+:ref:`Enabling TLS with external x.509 certificates <external-tls-helm>`
+
+Example values for VES Collector:
+ .. code-block:: bash
+
+ global:
+ cmpv2Enabled: true
+ dcae-ves-collector:
+ useCmpv2Certificates: true
+ certificates:
+ - mountPath: /opt/app/dcae-certificate/external
+ commonName: dcae-ves-collector
+ dnsNames:
+ - dcae-ves-collector
+ - ves-collector
+ - ves
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: ves-cmpv2-keystore-password
+ key: password
+ create: true
+
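Review bot: the only worked example in the "Authentication Support" section (the `new-config.yaml` block and the `--set dcae-ves-collector.applicationConfig.auth.method="noAuth"` line) downgrades the default `certBasicAuth` to `noAuth`, which the text itself defines as "no security (http)", yet nothing says this removes TLS and client authentication on the xNF-facing VES endpoint; add a sentence that `noAuth` is for lab or test installations only, or turn the example around so it shows restoring `certBasicAuth`. The verification step afterwards (`kubectl -n onap get cm dev-dcae-ves-collector-application-config-configmap -o yaml`) only proves the ConfigMap changed, not that the running collector reloaded it; a one-line check against the collector port (plain HTTP accepted vs. TLS required) would close that gap. Smaller points: `Where the contents of ``new-config.yaml`` file is:` and `Example values for VES Collector:` fence YAML as `.. code-block:: bash`, while the externalRepo section correctly uses `yaml`; those directives are also indented one space under the preceding paragraph with no blank line, which reStructuredText parses as a definition list rather than a paragraph followed by a code block, unlike the unindented form used later in the same file; "operator`s certificates" should be "operator's certificates"; and since both `externalVolumes` entries carry `optional: true`, a missing ConfigMap will not stop the pod from starting, so the externalRepo steps would benefit from a final check that the schema-map file is actually present under `/opt/app/VESCollector/etc/externalRepo` in the container.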
diff --git a/docs/sections/tls_enablement.rst b/docs/sections/tls_enablement.rst index bd907697..e5dc3d50 100644 --- a/docs/sections/tls_enablement.rst +++ b/docs/sections/tls_enablement.rst @@ -113,8 +113,8 @@ that is available in R6 but is not currently being used. k8splugin version 2.0.0 uses an init container to supply the CA certificates. -External TLS Support --------------------- +External TLS Support - using Cloudify +------------------------------------- External TLS support was introduced in order to integrate DCAE with CertService to acquire operator certificates meant to protect external traffic between DCAE's components (VES collector, HV-VES, RestConf collector and DFC) and xNFs. For that reason K8s plugin which creates K8s resources from Cloudify blueprints was enhanced with new TLS properties support. New TLS properties are meant to control CertService's client call in init containers section and environment variables which are passed to it. 
@@ -216,3 +216,71 @@ From k8splugin 3.4.1 when external TLS is enabled (use_external_tls=true), keyst * ``trust.jks.bak``: The (original) file with the AAF CA certificate only. * ``trust.pass``: A text file with a single line that contains the password for ``trust.jks`` and ``trust.jks.bak`` file. * ``cacert.pem``: The AAF CA certificate, in PEM form. + +.. _external-tls-helm: + +External TLS Support - Helm based deployment +-------------------------------------------- + +CMPv2 certificates can be enabled and configured via helm values. The feature is switched on only when: + * ``global.cmpv2Enabled`` flag is set to true + * ``certDirectory`` directory where TLS certs should be stored is set (in a specific component) + * flag ``useCmpv2Certificates`` is set to true (in a specific component) + +Default values for certificates are defined in ``global.certificate.default`` and can be overriden during onap installation process. + + .. code-block:: yaml + + global: + certificate: + default: + renewBefore: 720h #30 days + duration: 8760h #365 days + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + +CMPv2 settings can be changed in Helm values. + * ``mountPath`` - the directory within the container where certificates should be mounted + * ``commonName`` - indicates common name which should be present in certificate + * ``dnsNames`` - list of DNS names which should be present in certificate + * ``ipAddresses`` - list of IP addresses which should be present in certificate + * ``uris`` - list of uris which should be present in certificate + * ``emailAddresses`` - list of email addresses which should be present in certificate + * ``outputType`` - indicates certificate output type (jks or p12) + + .. 
code-block:: yaml + + certificates: + - mountPath: <PATH> + commonName: <COMMON-NAME> + dnsNames: + - <DNS-NAME-1> + - <DNS-NAME-2> + ... + ipAddresses: + ... + uris: + ... + emailAddresses: + ... + keystore: + outputType: + - <OUTPUT-TYPE> + passwordSecretRef: + name: <SECRET-NAME> + key: <PASSWORD-KEY> + create: <SHOULD-CREATE> + +The values can be changed by upgrading a component with modified values, eg. + + .. code-block:: bash + + helm -n onap upgrade <deploymant name> --values <path to updated values> |
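Review bot: the closing command `helm -n onap upgrade <deploymant name> --values <path to updated values>` is missing the chart argument that `helm upgrade` requires (the VES page in this same change passes `oom/kubernetes/dcaegen2-services`), and "deploymant" should be "deployment"; likewise "can be overriden" should be "overridden". The three enabling conditions name `certDirectory` as the directory where certs are stored, but the template block and the VES example only show `mountPath` under `certificates`, so either state how `certDirectory` relates to `mountPath` (or that the chart sets it) or add it to the template. The bullet list explains `outputType` but says nothing about `passwordSecretRef` and `create: <SHOULD-CREATE>`; since this is the keystore password protecting the operator certificate's private key, document what `create: true` does and recommend a pre-created secret for production rather than a chart-generated one.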